
Cato's Converged Security Stack — FWaaS, SWG, IPS & Anti-Malware in One Pass

Cato runs its whole security stack as cloud-native software inside every PoP, inspecting all your traffic in a single pass under one policy — no appliances to chain or patch. This lesson maps each engine (FWaaS, SWG, IPS, Next-Gen Anti-Malware), shows where TLS inspection fits, and explains why a remote laptop gets the same protection as a branch.

📅 2026-06-19 · ⏱ 16 min · 5 infographics · live packet demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to Cato's converged cloud security stack (2026): how FWaaS, SWG, IPS and Next-Gen Anti-Malware run as cloud-native software in every PoP, inspected in a single pass by the SPACE engine under one policy — plus TLS inspection, continuous Cato-managed updates, and one policy for sites, cloud and remote users.

Pick where you want to start

1. One pass, every PoP: converged software vs chained appliances.
2. FWaaS: Internet Firewall + WAN Firewall segmentation.
3. SWG · IPS · Anti-Malware: web, exploits, malware, TLS inspection.
4. One policy & pitfalls: all edges, fully managed, what to avoid.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Where does Cato's security stack actually run?

Answered in One pass, every PoP.

2. Does FWaaS only control internet-bound traffic?

Answered in FWaaS.

3. What lets the SWG, IPS and anti-malware see threats hidden in HTTPS?

Answered in SWG · IPS · Anti-Malware.

Most engineers think…

Most people picture cloud security as 'a stack of separate products you wire together' — a firewall, then a web gateway, then an IPS, then an anti-malware box, each one decrypting, inspecting and re-encrypting in turn. That model is slow, expensive and a nightmare to patch.

Cato is different: every security function runs as cloud-native software inside every PoP, and all your traffic is inspected in a single pass by the SPACE engine under one converged policy. FWaaS, SWG, IPS and Next-Gen Anti-Malware are not products you chain — they are engines that evaluate the same decrypted traffic together. Cato updates the signatures, engines and rules continuously, and elastic compute means there is nothing to size. That is why a remote laptop gets exactly the same protection as a branch office.

① Converged, single-pass security in every PoP

The single most important idea: Cato's security is cloud-native software that runs in every PoP, not a row of appliances you chain together. When traffic enters the nearest PoP, the SPACE engine (Single Pass Cloud Engine) decrypts and inspects it once, and every security function evaluates that same traffic together under one policy.

Compare that to the old way. A traditional stack sends a packet through a firewall, then a separate web gateway, then an IPS, then an anti-malware box — each one decrypting, inspecting and re-encrypting. That is slow, adds latency at every hop, and forces you to size and patch each box. Cato collapses all of it into a single pass, so there are no appliances to chain or patch and no service-chaining hops.

The payoff is consistency: one policy, one inspection, the same engines applied to all traffic — whether it comes from a site, a cloud resource or a remote user.

Figure 1 — Chained appliances vs converged single pass
The old model hops traffic through separate boxes; Cato inspects it once with all engines under one policy. Left panel, chained appliances: firewall, then SWG, then IPS, then …; decrypt and re-encrypt at each hop; size and patch every box; latency stacks up per hop. Right panel, Cato single pass (SPACE): all engines in every PoP; decrypt once, inspect once; Cato manages and scales it; one converged policy.
Figure 2 — One packet, one pass, every engine
Inside the PoP the SPACE engine runs all security functions on the same traffic in a single pass. Flow: Enter PoP (nearest Cato PoP) → Decrypt once (TLS inspection) → Single pass (FWaaS / SWG / IPS / AV) → One policy (allow or block) → Forward (to app or internet).
Quick check · Q1 of 10 · Understand

What does Cato's 'single pass' (SPACE) actually mean?

Correct: b. SPACE decrypts and inspects each packet once in the PoP; FWaaS, SWG, IPS and anti-malware all evaluate that same traffic together under one policy — no service-chaining hops.
👉 So far: Cato runs its whole security stack as software in every PoP; the SPACE engine inspects all traffic in a single pass under one policy — no appliances to chain or patch.

② FWaaS — Internet Firewall + WAN Firewall segmentation

FWaaS (Firewall as a Service) is a full next-generation firewall delivered from the cloud. It is application-aware — it identifies the actual app, not just a port — and you write rules by application, user and location. There is no firewall box to buy, size or upgrade.

Two firewalls, one policy

FWaaS has two halves that people often confuse. The Internet Firewall controls and inspects traffic going to the internet — outbound web, SaaS and app access — using those app/user/location rules. The WAN Firewall controls site-to-site traffic for segmentation: keeping zones like OT, finance and guest apart so a compromise in one area cannot move freely into another.

The interview trap is assuming FWaaS is internet-only. It is not — the WAN Firewall is how Cato does internal segmentation across your whole network from the same console.

Figure 3 — FWaaS — two firewalls, one console
FWaaS is not internet-only: the Internet Firewall controls outbound traffic and the WAN Firewall segments site-to-site. Panels: Internet Firewall (outbound internet, app / user / location aware); WAN Firewall (site-to-site control for segmentation between zones); One policy engine (same console, same rules across the whole network).
🛰️ SPACE (single pass): Cato's Single Pass Cloud Engine in every PoP; decrypts once and runs all security engines on the same traffic under one policy.

🧱 FWaaS: cloud next-gen firewall, an Internet Firewall (outbound, app-aware) plus a WAN Firewall that segments site-to-site traffic. Not internet-only.

🌐 SWG: Secure Web Gateway, URL and category filtering and web access control for all internet-bound traffic.

🛡️ IPS & Anti-Malware: cloud IPS uses Cato Ctrl signatures and threat intel, continuously updated; Next-Gen Anti-Malware adds signatures, ML and inline scanning for zero-day files.

Always name both firewalls

In an interview, separate the Internet Firewall (outbound internet, app/user/location-aware) from the WAN Firewall (site-to-site segmentation between zones). Saying 'FWaaS is the cloud firewall' is half an answer — the segmentation half is what shows you understand it is not internet-only.

Quick check · Q2 of 10 · Remember

Which part of FWaaS controls site-to-site traffic for segmentation?

Correct: c. The WAN Firewall controls site-to-site traffic so you can segment zones (e.g. OT, finance, guest). The Internet Firewall handles outbound internet traffic; FWaaS is not internet-only.
👉 So far: FWaaS is a cloud next-gen firewall with two halves: the Internet Firewall (outbound, app-aware) and the WAN Firewall (site-to-site segmentation). It is not internet-only.

③ SWG, IPS & Next-Gen Anti-Malware — with TLS inspection

On top of the firewall sit three more engines, all evaluating the same single-pass traffic. The SWG (Secure Web Gateway) does URL and category filtering and web access control — block risky categories, enforce acceptable use, allow or deny by site or category. The IPS is cloud intrusion prevention that stops exploits and network attacks using Cato-managed signatures and threat intelligence from Cato Ctrl / Cato Research Labs; Cato updates it continuously, so you never tune or patch signatures yourself.

Next-Gen Anti-Malware blocks malware with signatures plus machine learning, backed by an inline anti-malware layer (historically powered by SentinelOne) to catch unknown / zero-day files that signatures would miss.

Why TLS inspection is the enabler

Most web traffic is encrypted. Cato performs TLS/SSL inspection in the PoP so the SWG, IPS and anti-malware engines can actually see inside HTTPS. Without it, those engines only see opaque encrypted bytes and encrypted threats sail straight through.

Figure 4 — One single-pass policy, every engine
FWaaS, SWG, IPS and anti-malware all evaluate the same decrypted traffic in the PoP under one policy. Panels: SPACE engine (single pass, one policy) feeding Internet Firewall, WAN Firewall (segment), SWG (URL/category), IPS (exploits) and Anti-Malware (files), with TLS inspection.
Leaving TLS inspection off

If TLS inspection is disabled, the SWG, IPS and anti-malware engines only see encrypted bytes, so threats hidden in HTTPS pass straight through. Enable it in the PoP with a bypass list for sensitive categories — otherwise most of your stack is blind.

▶ Watch an exploit in an encrypted download get blocked

How one risky web request is inspected end-to-end in a single pass. The healthy path is the four steps below; the classic failure is the same request with TLS inspection switched off, which leaves the IPS and anti-malware in steps ③ and ④ seeing only encrypted bytes.

① Request: Arjun in Coimbatore requests a website that hides an exploit inside an encrypted file download; traffic hits the nearest Cato PoP.
② FWaaS + SWG: the Internet Firewall allows the app by policy and the SWG checks the URL category; both pass, so inspection continues.
③ TLS + IPS: TLS inspection decrypts the session in the PoP and the IPS examines the content, spotting the exploit signature.
④ Anti-Malware block: Next-Gen Anti-Malware scans the file, confirms it is malicious, and the single-pass policy blocks the download.
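To make the single-pass model concrete, here is an added toy model (not Cato's code) of one session being evaluated once by every engine under one policy, covering the demo above, the WAN Firewall segmentation case and the TLS-inspection-off failure. The rule tables, field names, signature string and file hash are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    src_zone: str       # "office", "ot", "guest", "remote", ...
    dst_zone: str       # "internet" or an internal zone such as "finance"
    app: str            # application identified by the firewall, not just a port
    url_category: str   # SWG category of the requested URL
    tls: bool           # is the session HTTPS?
    payload: bytes      # bytes of the download (constructed sample data)


# One converged policy, evaluated in every "PoP". All tables are constructed
# assumptions for this illustration, not a real Cato configuration.
INTERNET_FW_ALLOW = {("office", "web-browsing"), ("remote", "web-browsing"),
                     ("finance", "banking-portal")}
WAN_FW_ALLOW = {("office", "finance")}          # OT and guest zones stay isolated
SWG_BLOCKED_CATEGORIES = {"malware", "phishing"}
IPS_SIGNATURES = [b"EXPLOIT-MARKER-0001"]       # constructed signature, not a real one
MALICIOUS_SHA256 = {hashlib.sha256(b"dropper EXPLOIT-MARKER-0001").hexdigest()}


def single_pass(s: Session, tls_inspection: bool,
                bypass: frozenset = frozenset()) -> tuple[str, list[str], bool]:
    """Evaluate one session once with every engine.

    Returns (action, engines that fired, whether content engines saw cleartext).
    Every engine sees the same session; the verdict is one allow/block decision.
    """
    hits: list[str] = []
    # FWaaS: the Internet Firewall governs outbound traffic by app and zone; the
    # WAN Firewall governs site-to-site traffic (segmentation between zones).
    if s.dst_zone == "internet":
        if (s.src_zone, s.app) not in INTERNET_FW_ALLOW:
            hits.append("internet-firewall")
        if s.url_category in SWG_BLOCKED_CATEGORIES:   # SWG: URL/category filter
            hits.append("swg")
    elif (s.src_zone, s.dst_zone) not in WAN_FW_ALLOW:
        hits.append("wan-firewall")
    # TLS inspection decides whether IPS and anti-malware get cleartext or
    # opaque ciphertext. Bypassed categories are deliberately left encrypted.
    content_seen = (not s.tls) or (tls_inspection and s.url_category not in bypass)
    if content_seen:
        if any(sig in s.payload for sig in IPS_SIGNATURES):           # IPS
            hits.append("ips")
        if hashlib.sha256(s.payload).hexdigest() in MALICIOUS_SHA256:  # anti-malware
            hits.append("anti-malware")
    return ("block" if hits else "allow", hits, content_seen)


# The lesson's demo: a remote user downloads an encrypted file carrying an exploit.
ARJUN = Session("arjun", "remote", "internet", "web-browsing", "file-sharing",
                tls=True, payload=b"dropper EXPLOIT-MARKER-0001")

if __name__ == "__main__":
    print("TLS inspection on :", single_pass(ARJUN, tls_inspection=True))
    print("TLS inspection off:", single_pass(ARJUN, tls_inspection=False))  # the classic failure
    print("OT -> finance     :", single_pass(Session("plc", "ot", "finance", "scada", "-", False, b""), True))
```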
Quick check · Q3 of 10 · Analyze

Threat detections are almost zero even though staff browse heavily on HTTPS. What is the most likely cause?

Correct: d. Most web traffic is HTTPS. With TLS inspection off, the SWG, IPS and anti-malware engines cannot see inside encrypted sessions, so threats pass uninspected and detections stay near zero.
👉 So far: SWG filters URLs/categories, IPS blocks exploits with continuously-updated Cato Ctrl signatures, and Next-Gen Anti-Malware uses signatures + ML + inline scanning — all made possible on HTTPS by TLS inspection in the PoP.

④ One policy for every edge — fully managed, and the pitfalls

Because the stack lives in every PoP, one converged policy applies to all edges — sites, cloud resources and remote users alike. A work-from-home user routed through the nearest PoP is inspected by the same FWaaS, SWG, IPS and anti-malware engines as a branch office. Write the policy once; it protects everyone identically.

It is also fully managed by Cato: signatures, engines and rules are updated continuously, and elastic cloud compute means there are no sizing or throughput limits to plan — you never resize a box because TLS-decryption load grew.

The pitfalls that trip people up

Three classics: (1) leaving TLS inspection off, which makes the whole stack blind to encrypted threats; (2) assuming FWaaS is internet-only and forgetting the WAN Firewall does segmentation; and (3) treating these as separate products to chain instead of one converged policy. Get those right and the stack does what it promises.

Figure 5 — One policy follows every edge
The same converged policy protects sites, cloud and remote users through the nearest PoP. Panels: Branch site (via nearest PoP); Cloud resource (same stack); Remote user (Cato Client to PoP); One policy (identical inspection); Cato-managed (continuous updates).

Priya at Suvarna Textiles in Coimbatore faces this

The threat dashboard shows almost no web or malware detections even though staff browse heavily, so the team suspects the security stack 'isn't working'.

Likely cause

TLS/SSL inspection is disabled, so the mostly-HTTPS traffic flows through the PoP encrypted and the SWG, IPS and anti-malware engines only see opaque bytes.

Diagnosis

In the Cato Management Application, check the TLS Inspection policy state and the threat events — almost all allowed sessions are encrypted-and-uninspected, and the few detections cluster only on rare cleartext traffic.

Cato Management Application ▸ Security ▸ TLS Inspection + Monitoring ▸ Events

Fix

Enable TLS inspection with a sensible bypass list (banking, healthcare, sensitive categories) so the engines can decrypt and inspect in the PoP, and confirm one converged policy covers sites and remote users.

Verify

Re-run browsing and a controlled test download; the dashboard now shows category hits, IPS events and malware blocks on HTTPS, and a remote-user session shows the same protection as a branch.

Prove protection from the events, not a hunch

Never assume the stack is working because traffic flows. The Cato Management Application shows per-session firewall, SWG, IPS and anti-malware events. If detections are near zero on heavy HTTPS browsing, that is the tell that TLS inspection is off — read the events, do not guess.
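An added example (not Cato's tooling or export format) of reading the events instead of guessing: it reduces constructed per-session events to the numbers the diagnosis above relies on, HTTPS share, uninspected HTTPS share and where the blocks land, before and after TLS inspection is enabled. The column names and sample rows are constructed assumptions.

```python
import csv
from io import StringIO

# Constructed per-session security events, shaped loosely like a threat-events
# export. Column names are assumptions for this illustration, not the Cato
# Management Application's real schema.
EVENTS_BEFORE = """\
time,user,protocol,tls_inspected,action,engine
09:00:01,priya,HTTPS,no,allow,-
09:00:04,arjun,HTTPS,no,allow,-
09:00:09,devi,HTTP,n/a,block,ips
09:00:12,priya,HTTPS,no,allow,-
09:00:15,arjun,HTTPS,no,allow,-
09:00:20,kumar,HTTPS,no,allow,-
09:00:22,devi,HTTPS,no,allow,-
09:00:30,kumar,HTTP,n/a,allow,-
"""

EVENTS_AFTER = """\
time,user,protocol,tls_inspected,action,engine
10:00:01,priya,HTTPS,yes,allow,-
10:00:04,arjun,HTTPS,yes,block,anti-malware
10:00:09,devi,HTTP,n/a,block,ips
10:00:12,priya,HTTPS,yes,block,swg
10:00:15,arjun,HTTPS,yes,allow,-
10:00:20,kumar,HTTPS,yes,block,ips
10:00:22,devi,HTTPS,yes,allow,-
10:00:30,kumar,HTTP,n/a,allow,-
"""


def summarise(events_csv: str) -> dict:
    """Reduce the events to the numbers that reveal a blind stack."""
    rows = list(csv.DictReader(StringIO(events_csv)))
    https = [r for r in rows if r["protocol"] == "HTTPS"]
    uninspected = [r for r in https if r["tls_inspected"] == "no"]
    blocks = [r for r in rows if r["action"] == "block"]
    return {
        "sessions": len(rows),
        "https_share": len(https) / len(rows),
        "uninspected_https_share": len(uninspected) / len(https) if https else 0.0,
        "blocks": len(blocks),
        "blocks_on_https": sum(1 for r in blocks if r["protocol"] == "HTTPS"),
    }


def diagnose(summary: dict) -> str:
    """The tell from the lesson: mostly HTTPS, nearly all of it uninspected,
    and the few detections clustered on cleartext means TLS inspection is off."""
    if (summary["https_share"] >= 0.5
            and summary["uninspected_https_share"] >= 0.9
            and summary["blocks_on_https"] == 0):
        return "tls-inspection-off"
    return "stack-inspecting-https"


if __name__ == "__main__":
    for label, data in (("before", EVENTS_BEFORE), ("after", EVENTS_AFTER)):
        print(label, summarise(data), diagnose(summarise(data)))
```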

Quick check · Q4 of 10 · Apply

A work-from-home user connects through the Cato Client. How much of the stack protects them?

Correct: a. One converged policy applies to all edges. A remote user routed through the nearest PoP gets the same single-pass FWaaS, SWG, IPS and anti-malware inspection as a branch office.
👉 So far: One converged policy protects sites, cloud and remote users identically; Cato manages and updates everything, and elastic compute removes sizing limits. Avoid: TLS off, FWaaS-is-internet-only, and chaining instead of converging.


📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Where does Cato's security stack run?

Correct: b. Every security function runs as cloud-native software inside every PoP, so all edges are inspected by the same engines without on-prem appliances to chain or patch.
Q6 · Understand

Which engine performs URL and category filtering?

Correct: a. The SWG does URL and category filtering and web access control. The IPS stops exploits, the WAN Firewall segments site-to-site traffic, and anti-malware scans files.
Q7 · Apply

You need to keep your OT network separate from your guest and finance zones across all sites. Which part of the stack handles that?

Correct: c. Segmentation between internal zones across sites is site-to-site control — that is the WAN Firewall's job. The Internet Firewall handles outbound internet traffic; the SWG filters web; TLS inspection enables content visibility.
Q8 · Analyze

Why can an exploit hidden in an encrypted download still get caught in a single pass?

Correct: d. TLS inspection decrypts the session inside the PoP, so the IPS can match the exploit signature and anti-malware can scan the file — all in the same single pass under one policy.
Q9 · Evaluate

An interviewer asks how Cato keeps its IPS effective without customer effort. Best answer?

Correct: b. Cato's research team (Cato Ctrl / Cato Research Labs) provides the signatures and threat intelligence, and Cato updates the IPS continuously as a managed service — customers do not tune or patch signatures.
Q10 · Evaluate

What is the strongest reason to enable TLS inspection on the Cato stack?

Correct: c. Most traffic is encrypted; if TLS inspection is off the security engines only see ciphertext and encrypted threats pass uninspected. Enabling it in the PoP (with a sensible bypass list) is what makes the rest of the stack effective.

🧠 In your own words

Type one line: why is Cato's security called 'converged single pass' rather than 'a stack of products'? Then compare with the expert version.

Expert version: Because every security function — FWaaS, SWG, IPS and Next-Gen Anti-Malware — runs as cloud-native software in every PoP, and the SPACE engine decrypts and inspects each packet once while all of those engines evaluate it together under one policy. You are not chaining separate appliances that each decrypt, inspect and re-encrypt; you converge them into a single pass that Cato manages and scales. That is why there is nothing to size or patch, why TLS inspection in the PoP unlocks all the engines at once, and why a remote user gets exactly the same protection as a branch.


📖 Glossary

Converged security stack
Multiple security functions (firewall, SWG, IPS, anti-malware) delivered as one integrated cloud stack under a single policy, not separate products to chain.
SPACE (Single Pass Cloud Engine)
Cato's engine in every PoP that decrypts and inspects traffic once while all security engines evaluate it together under one policy.
PoP (Point of Presence)
A Cato location on its private global backbone where the full security stack runs as cloud-native software.
FWaaS
Firewall as a Service — a cloud next-gen firewall with an Internet Firewall (outbound, app-aware) and a WAN Firewall (site-to-site segmentation).
SWG
Secure Web Gateway — URL and category filtering and web access control for internet-bound traffic.
IPS
Cloud intrusion prevention that blocks exploits and network attacks using Cato-managed signatures and Cato Ctrl threat intel, continuously updated.
Next-Gen Anti-Malware
Malware prevention combining signatures, machine learning and an inline anti-malware engine to catch unknown / zero-day files.
TLS/SSL inspection
Decrypting encrypted traffic in the PoP so the SWG, IPS and anti-malware engines can inspect it, then re-encrypting it.
Cato Ctrl / Cato Research Labs
Cato's research team that supplies and continuously updates the IPS signatures and threat intelligence.

What's next?

Got the security stack? Next, go deep on ZTNA / SDP and secure remote access with the Cato Client — how a remote user is identified, posture-checked and given least-privilege access to apps instead of the whole network.